iOS (13): Using bfinject to inject cycript on iOS 11 & dump decrypted apps
0x0 Preface
My work requires tools such as cycript, but because of the feud between saurik and coolstar, cycript cannot run directly on iOS 11, so bfinject has to be used to run cycript.
0x1 Installing and using bfinject
Installing and using bfinject is straightforward; see the GitHub source: https://github.com/BishopFox/bfinject
Install bfinject:
$ wget https://github.com/BishopFox/bfinject/raw/master/bfinject.tar .
$ scp bfinject.tar root@192.168.1.104:~/
$ ssh root@192.168.1.104
iPhone:~/bfinject root# mkdir bfinject
iPhone:~/bfinject root# mv bfinject.tar ./bfinject
iPhone:~/bfinject root# cd bfinject
iPhone:~/bfinject root# tar xvf bfinject.tar
Run bfinject: you can see it ships with the injection feature cycript and the dumping feature decrypt, and it also supports injecting other dylibs:
iPhone:~/bfinject root# bash bfinject
Syntax: bfinject [-p PID | -P appname] [-l /path/to/yourdylib | -L feature]
For example:
bfinject -P Reddit.app -l /path/to/evil.dylib # Injects evil.dylib into the Reddit app
or
bfinject -p 1234 -L cycript # Inject Cycript into PID
or
bfinject -p 4566 -l /path/to/evil.dylib # Injects the .dylib of your choice into PID
Instead of specifying the PID with -p, bfinject can search for the correct PID based on the app name.
Just enter "-P identifier" where "identifier" is a string unique to your app, e.g. "fing.app".
Available features:
cycript - Inject and run Cycript
decrypt - Create a decrypted copy of the target app
test - Inject a simple .dylib to make an entry in the console log
ispy - Inject iSpy. Browse to http://<DEVICE_IP>:31337/
0x11 Injecting the app with bfinject's built-in Cycript:
iPhone:~/bfinject root# bash bfinject -P SYHDAppPayProject -L cycript
Once it succeeds, the iPhone shows a pop-up saying
cycript loaded!
and starts listening on port 1337; on the Mac, connect with cycript remotely:
$ cycript -r 192.168.1.104:1337
cy# [[NSBundle mainBundle] bundleIdentifier]
@"com.tmgigame.apppaytool"
cy# [[NSBundle mainBundle] bundlePath]
@"/var/containers/Bundle/Application/C438C976-2657-46F1-83BE-07F2DFBAF5A7/SYHDAppPayProject.app"
cy# [[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
@[#"file:///var/mobile/Containers/Data/Application/BB2EB568-851B-42F4-AD1F-B9B4D5295755/Documents/"]
Cycript fails to start when the Ruby version is too new
If the installed Ruby is too new, cycript fails to launch:
$ cycript
dyld: Library not loaded: /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib
Referenced from: /usr/local/share/cycript_0.9.594/Cycript.lib/cycript-apl
Reason: image not found
Install the matching version and copy its library into the Cycript.lib directory:
$ brew install ruby@2.0
$ cp /usr/local/Cellar/ruby@2.0/2.0.0-p648_6/lib/libruby.2.0.0.dylib /usr/local/share/cycript_0.9.594/Cycript.lib/
$ cycript
cy#
0x12 Dumping a decrypted app with bfinject
Dumping with bfinject is just as simple: replace the cycript argument with decrypt:
iPhone:~/bfinject root# bash bfinject -P SYHDAppPayProject -L decrypt
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/C438C976-2657-46F1-83BE-07F2DFBAF5A7/SYHDAppPayProject.app/SYHDAppPayProject'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID MLP6RB876U and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 378.
[bfinject4realz] Calling thread_create() on PID 378
[bfinject4realz] Looking for ROP gadget... found at 0x1843594e0
[bfinject4realz] Fake stack frame at 0x12e63c000
[bfinject4realz] Calling _pthread_set_self() at 0x18459b778...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x184359460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c01f0a00
[+] So long and thanks for all the fish.
When it finishes, a decrypted ipa file is written to the app's data directory (the data directory path obtained with cycript above):
iPhone:/var/mobile/Containers/Data/Application/BB2EB568-851B-42F4-AD1F-B9B4D5295755/Documents root# ls -al
total 17772
drwxr-xr-x 5 mobile mobile 160 May 30 13:14 ./
drwxr-xr-x 8 mobile mobile 256 May 27 09:48 ../
drwxr-xr-x 3 mobile mobile 96 May 27 10:37 .UTSystemConfig/
-rw-r--r-- 1 mobile mobile 17670111 May 30 13:09 decrypted-app.ipa
-rw-r--r-- 1 mobile mobile 1466 May 30 10:33 user.arch
0x2 Pitfalls of bfinject on iOS 11.2 and later
The current bfinject source only supports dylib injection on iOS 11.0 - 11.1.2, but my work device runs iOS 11.2, so there are a few pitfalls:
Reference: https://itreefly.com/posts/3ab7b72b.html
[!] Unknown jailbreak. Aborting.
The corresponding post-jailbreak files were not found. Looking at the bfinject source:
#
# Detect LiberiOS vs Electra
#
if [ -f /bootstrap/inject_criticald ]; then
    # This is Electra
    echo "[+] Electra detected."
    cp jtool.liberios /bootstrap/usr/local/bin/
    chmod +x /bootstrap/usr/local/bin/jtool.liberios
    JTOOL=/bootstrap/usr/local/bin/jtool.liberios
    cp bfinject4realz /bootstrap/usr/local/bin/
    INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
This happens because the latest Electra jailbreak renamed the bootstrap directory on the system to electra.
So symlink it over and manually create the folders the script expects:
iPhone:~/bfinject root# ls /electra/
amfid_payload.dylib* inject_criticald* jailbreakd_client* pspawn_payload.dylib* helloworld* jailbreakd* libjailbreak.dylib*
iPhone:~/bfinject root# ln -s /electra /bootstrap
iPhone:~/bfinject root# mkdir /bootstrap/usr
iPhone:~/bfinject root# mkdir /bootstrap/usr/local
iPhone:~/bfinject root# mkdir /bootstrap/usr/local/bin
md5: command not found
Use md5sum in place of md5:
$ ln -s /usr/bin/md5sum /usr/bin/md5
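As an added example (not code from bfinject or from the original post), the shell functions below generalise the "Detect LiberiOS vs Electra" check quoted above so that it accepts both the /bootstrap layout bfinject hard-codes and the newer /electra layout, recreate the /bootstrap symlink and usr/local/bin directory, and apply the md5sum shim; the PREFIX and BINDIR arguments are assumptions so the functions can be exercised against a scratch directory (on the device PREFIX is empty and BINDIR is /usr/bin).

```shell
#!/bin/sh
# Added example: generalised version of bfinject's jailbreak detection.
# Not part of bfinject. PREFIX is an assumption so the functions can be run
# against a scratch directory; on the device it is the empty string.

# Print the directory holding inject_criticald, or fail if neither known
# location exists (the case that makes bfinject print "Unknown jailbreak").
find_jailbreak_root() {
    prefix="$1"
    if [ -f "$prefix/electra/inject_criticald" ]; then
        echo "$prefix/electra"          # newer Electra builds
    elif [ -f "$prefix/bootstrap/inject_criticald" ]; then
        echo "$prefix/bootstrap"        # layout bfinject's script expects
    else
        return 1
    fi
}

# Recreate the layout bfinject's script hard-codes: /bootstrap pointing at the
# jailbreak root, plus /bootstrap/usr/local/bin where it copies jtool.liberios
# and bfinject4realz. Safe to run repeatedly.
prepare_bootstrap() {
    prefix="$1"
    root="$(find_jailbreak_root "$prefix")" || {
        echo "[!] Unknown jailbreak. Aborting." >&2
        return 1
    }
    if [ ! -e "$prefix/bootstrap" ]; then
        ln -s "$root" "$prefix/bootstrap"
    fi
    mkdir -p "$prefix/bootstrap/usr/local/bin"
    echo "$root"
}

# bfinject calls md5, which was missing on the device; point it at md5sum.
# BINDIR is /usr/bin on the device.
ensure_md5() {
    bindir="$1"
    if [ ! -e "$bindir/md5" ] && [ -x "$bindir/md5sum" ]; then
        ln -s "$bindir/md5sum" "$bindir/md5"
    fi
}
```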
[bfinject4realz] Failed to create thread in remote process. This most likely is caused by "Tweaks" being enabled in Electra. Please try rebooting and re-jailbreaking with "Tweaks" disabled.
bfinject's injection module conflicts with Tweaks; reboot and re-jailbreak with the Tweaks option unchecked.
0x3 The "killed 9" problem with the native cycript
The native cycript being killed 9 is caused by the Cydia Substrate framework not being supported, not by a signing problem; the cycript downloaded from saurik's Cydia repo carries the following signature:
$ codesign -vvd cycript
Executable=/*/*/cycript
Identifier=cycript_
Format=Mach-O universal (armv6 arm64)
CodeDirectory v=20200 size=632 flags=0x0(none) hashes=23+5 location=embedded
Signature size=8520
Authority=Developer ID Application: Jay Freeman (YN3GF3Y6DG)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 29, 2016 at 04:29:15
Info.plist=not bound
TeamIdentifier=YN3GF3Y6DG
Sealed Resources=none
Internal requirements count=1 size=168